(upbeat music) >> Hey, welcome back everybody. Jeff Frick here with theCUBE. We're at the RSA Conference in downtown San Francisco. We're live, it's 40,000 people all talking about security, and we're excited for a first-time attendee of RSA. We're joined by John Smith, a solutions architect from ExtraHop Networks. Welcome, John. >> Hey, thanks for having me. >> Absolutely. So you said it's your first time to the RSA Conference? I'm just curious, kind of first impressions of the show? >> Wow. Well, there's certainly a lot of people here. It's the biggest show I've ever been to. We've been to Synergy, HIMSS, a couple of them. I think HIMSS might have more people, but it certainly seems more crowded. People are more involved in the booths here, asking a lot of really good questions. A lot of ones and zeros people at the booth, so you really got to be on your toes (laughs) when you're talking to folks. (Jeff laughs) >> All right, for the people that aren't familiar with ExtraHop, give us kind of the overview, what you guys are all about. >> So we're a real-time IT analytics product that uses wire data to provide, at least in the security space, the biggest play we have is more around surveillance and invisibility. One of the first two controls that SANS recognizes as being, that you need to secure your environment, is asset inventory and the ability to see what applications are running on those assets. A lot of the tools in the security industry try to engineer down to that, to try to give you that. That's one of the, a lot of security people will kind of name that as one of the more difficult things to get. We start there. So we are a wire data analytics, that's kind of the core of what we do, so we don't require any IP addresses, we don't, or, I'm sorry, we don't require any agents, we don't require any SNMP, any ping sweeps or anything like that. If it has an IP address, it can't hide from us. So that means whether it's an IOT device or a medical device that's been compromised, if it's someone who wants to work in the dark and they've got a NACL that's blocking people, the minute they communicate with someone else, they're made and they can't hide from us. So what we've seen in our, with our customer base, is kind of a burgeoning security practice where people are actually using the appliance more in a security use case, and that's probably our fastest-growing use case right now. >> So what was the core of the business before? You said ExtraHop's been around for 10 years, but you're new here. What was kind of the core business before your security practice really grew? >> So the core of the business, and, you know, there's three kind of major areas. There's, we generally use the wire as a data source. So we position the customer to interact directly with the wire and the data that's coming across it. So that can be break, fix, and performance of your different web applications from layer two up to layer seven. A lot of that is business intelligence. We had an online retailer that wanted to know, you know, the average of income of people who filled out their credit app by ZIP code so that they could adjust pricing. That used to be a complicated OLAP job on the back end. We were able to give that to them in real time so that they could see, "Hey, people in this ZIP code make $300 a month more "than people in this ZIP code, we can raise prices here." So business intelligence and break, fix, and performance are big ones, and then of course in the security place, or the security space, where we're able to provide full accountability for every single IP address on the network, has been very powerful. >> Interesting. So you said you had some announcements that you guys are making here at the show? >> Yeah, so we have, are announcing our SaaS offering, which is another, it's basically a machine-learning, a cloud-based machine-learning platform that allows us to do some anomaly detection without the need to, you know, a lot of your cloud-based anomaly detection tools require you to forward terabytes of data so that then they can look at it, analyze it, and then maybe an hour later you get some information that you've been breached or that there's a problem-- >> That, or a day. >> Yeah, or, maybe, yeah. >> Months and months and months. >> Exactly. We're kind of unique in that we're able to, you know, what our Atlas program is able to essentially interrogate systems that are deployed around the world, currently around the U.S., it's a U.S. offering today, but basically we can interrogate those systems for any types of anomalies that happen. Actually, in the run up to the offering, we had a customer that was able to reroute some traffic because they were able to see the mirai botnet was starting to meddle with some of the performance of different parts of their infrastructure. So having the ability to be able to provide customers visibility into what's going on on their networks without the burden of making them FTP data up to you so that then you can evaluate it, one, you don't have the infrastructure burden of sending the data to you and the delay with that, but in addition to that, you're able to provide some real-time visibility. One of the things we've noticed is that the people who have the ability to interpret the data and to kind of parse and tell you when there is an anomaly, they're very overworked and they're spread really thin in a lot of their organizations. We augment that capability by doing some of that heavy lifting for them so that we can say, "Hey, did you know you have 1,000% increase in, you know, "DNS traffic from this particular host?" >> Right. >> That type of visibility that you can do in real time, so that if you have multiple branches around the country, we can provide that visibility from one centralized location. >> Yeah, it's all about the real time, right? Real time is in time, hopefully. >> Real time, and really, the money is in the mash-up, right? We've had a lot of really, one of the things I've noticed over the years is thread intelligence has really matured, and I think that's great, but if you can't marry that with some of your own intelligence that's going on on your own networks, you know, the value is really a lot tougher to realize. If you can ad hoc or if you can engage in some ad hoc thread intelligence by leveraging a platform like ExtraHop that can do the evaluation and thread things like anomalous behavior, that makes your agility to deal with today's threats really, really, a lot more effective. Most threats, as you're probably aware, happen, I think 93% of them happen within a minute. Dealing with that with humans, dealing with that with logs, is, it's really, really tough to do. I love logs and I love humans, but if you can position yourself to engage in programmatically dealing with that, we see orchestration is becoming, you know, kind of an emerging technology, and we're uniquely positioned to be able to interact with any sort of orchestration engines, something like a phantom, you know, things like that, where we can observe some actionable data, and then we have an open platform that can then integrate with the orchestration they're after. >> All right. Well, John, that was a great summary. We're going to leave it there, thanks for stopping by. The money's in the mash-up, did I get it right? >> John And Jeff: The money's in the mash-up. >> Baby. >> All right. >> All right. >> He's John Smith, I'm Jeff Frick. You're watching theCUBE from RSA. >> Thank you. >> Thanks for watching. (upbeat music)

>> Hey, welcome back everybody, Jeff Frick here with The Cube. We're at Data Privacy Day 2018, I still can't believe it's 2018, in downtown San Francisco, at LinkedIn's headquarters, the new headquarters, it's a beautiful building just down the road from the sales force building, from the new Moscone that's being done, there's a lot of exciting things going on in San Francisco, but that's not what we're here to talk about. We're here to talk about data privacy, and we're excited to have a return visit from last year's Cube alumni, she's Eva Velasquez, president and CEO, Identity Theft Resource Center. Great to see you again. >> Thank you for having me back. >> Absolutely, so it's been a year, what's been going on in the last year in your world? >> Well, you know, identity theft hasn't gone away >> Shoot. >> And data-- >> I thought you told me it was last time. >> I know, I wish, and in fact, unfortunately we just released our data breach information, and there was a tremendous growth. It was a little over 1000, previous year, and over 1500 data breaches... in 2017. >> We're almost immune, they're like every day. And it used to be like big news. Now it's like, not only was Yahoo breached at some level, which we heard about a while ago, but then we hear they were actually breached like 100%. >> There is some fatigue, but I can tell you that it's not as pervasive as you might think. Our call center had such a tremendous spike in calls during the Equifax breach. It was the largest number of calls we'd had in a month, since we'd been measuring our call volume. So people were still very, very concerned. But a lot of us who are in this space are feeling, I think we may be feeling the fatigue more than your average consumer out there. Because for a lot of folks, this is really the first exposure to it. We're still having a lot of first exposures to a lot of these issues. >> So the Equifax one is interesting, because most people don't have a direct relationship with Equifax, I don't think. I'm not a direct paying customer, I did not choose to do business with them. But as one of the two or three main reporting agencies, right, they've got data on everybody for their customers who are the banks, financial institutions. So how does that relationship get managed? >> Oh my gosh, there's so much meat there. There's so much meat there. Okay, so, while it feels like you don't have a direct relationship with the credit reporting agencies, you actually do, you get a benefit from the services that they're providing to you. And every time you get a loan, I mean this is a great conversation for Data Privacy Day. Because when you get a loan, get a credit card, and you sign those terms and conditions, guess what? >> They're in there? >> You are giving that retailer, that lender, the authority to send that information over to the credit reporting agencies. And let's not forget that the intention of forming the credit reporting agencies was for better lending practices, so that your creditworthiness was not determined by things like your gender, your race, your religion, and those types of really, I won't say arbitrary, but just not pertinent factors. Now your creditworthiness is determined by your past history of, do you pay your bills? What is your income, do you have the ability to pay? So it started with a good, very good purpose in mind, and we definitely bought into that as a society. And I don't want to sound like I'm defending the credit reporting agencies and all of their behavior out there, because I do think there are some changes that need to be made, but we do get a benefit from the credit reporting agencies, like instant credit, much faster turnaround when we need those financial tools. I mean, that's just the reality of it. >> Right, right. So, who is the person that's then... been breached, I'm trying to think of the right word of the relationship between those who've had their data hacked from the person who was hacked. If it's this kind of indirect third party relationship through an authorization through the credit card company. >> No, the, Equifax is absolutely responsible. >> So who would be the litigant, just maybe that's the word that's coming to me in terms of feeling the pain, is it me as the holder of the Bank of America Mastercard? Is it Bank of America as the issuer of the Mastercard? Or is it Mastercard, in terms of retribution back to Equifax? >> Well you know, I can't really comment on who actually would have the strongest legal liability, but what I can say is, this is the same thing I say when I talk to banks about identity theft victims. There's some discussion about, well, no, it's the bank that's the victim in existing account identity theft, because they're the ones that are absorbing the financial losses. Not the person whose data it belongs to. Yet the person who owns that data, it's their identity credentials that have been compromised. They are dealing with issues as well, above and beyond just the financial compromise. They have to deal with cleaning up other messes and other records, and there's time spent on the phone, so it's not mutually exclusive. They're both victims of this situation. And with data breaches, often the breached entity, again, I hate to sound like an apologist, but I am keeping this real. A breached entity, when they're hacked, they are a victim, a hacker has committed that crime and gone into their systems. Yes, they have a responsibility to make those security systems as robust as possible, but the person whose identity credentials those are, they are the victim. Any entity or institution, if it's payment card data that's compromised, and a financial services institution has to replace that data, guess what, they're a victim too. That's what makes this issue and this crime so terrible, is that it has these tentacles that reach down and touch more than one person for each incident. >> Right. And then there's a whole 'nother level, which we talked about before we got started that we want to dig into, and that's children. Recently, a little roar was raised with these IOT connected toys. And just a big, giant privacy hole, into your kid's bedroom. With eyes and ears and everything else. So wonder if you've got some specific thoughts on how that landscape is evolving. >> Well, we have to think about the data that we're creating. That does comprise our identity. And when we start talking about these toys and other... internet connected, IOT devices that we're putting in our children's bedroom, it actually does make the advocacy part of me, it makes the hair on the back of my neck stand up. Because the more data that we create, the more that it's vulnerable, the more that it's used to comprise our identity, and we have a big enough problem with child identity theft just now, right now as it stands, without adding the rest of these challenges. Child and synthetic identity theft are a huge problem, and that's where a specific Social Security number is submitted and has a credit profile built around it, when it can either be completely made up, or it belongs to a child. And so you have a four year old whose Social Security number is now having a credit profile built around it. Obviously they're not, so the thieves are not submitting this belongs to a four year old, it would not be issued credit. So they're saying it's a, you know, 23 year old-- >> But they're grabbing the number. >> They're grabbing the number, they're using the name, they build this credit profile, and the biggest problem is we really haven't modernized how we're authenticating this information and this data. I think it's interesting and fitting that we're talking about this on Data Privacy Day, because the solution here is actually to share data. It's to share it more. And that's an important part of this whole conversation. We need to be smart about how we share our data. So yes, please, have a thoughtful conversation with yourself and with your family about what are the types of data that you want to share and keep, and what do you want to keep private, but then culturally we need to look at smart ways to open up some data sharing, particularly for these legitimate uses, for fraud detection and prevention. >> Okay, so you said way too much there, 'cause there's like 87 followup questions in my head. (Eva laughs) So we'll step back a couple, so is that synthetic identity, then? Is that what you meant when you said a synthetic identity problem, where it's the Social Security number of a four year old that's then used to construct this, I mean, it's the four year old's Social Security number, but a person that doesn't really exist? >> Yes, all child identity theft is synthetic identity theft, but not all synthetic identity theft is child identity theft. Sometimes it can just be that the number's been made up. It doesn't actually belong to anyone. Now, eventually maybe it will. We are hearing from more and more parents, I'm not going to say this is happening all the time, but I'm starting to hear it a little bit more often, where the Social Security number is being issued to their child, they go to file their taxes, so this child is less than a year old, and they are finding out that that number has a credit history associated with it. That was associated years ago. >> So somebody just generated the number. >> Just made it up. >> So are we ready to be done with Social Security numbers? I mean, for God's sake, I've read numerous things, like the nine-digit number that's printed on a little piece of paper is not protectable, period. And I've even had a case where they say, bring your little paper card that they gave you at the hospital, and I won't tell you what year that was, a long time ago. I'm like, I mean come on, it's 2018. Should that still be the anchor-- >> You super read my mind. >> Data point that it is? >> It was like I was putting that question in your head. >> Oh, it just kills me. >> I've actually been talking quite a bit about that, and it's not that we need to get, quote unquote, get rid of Social Security numbers. Okay, Social Security numbers were developed as an identifier, because we have, you can have John Smith with the same date of birth, and how do we know which one of those 50,000 John Smiths is the one we're looking for? So that unique identifier, it has value. And we should keep that. It's not a good authenticator, it is not a secret. It's not something that I should pretend only I know-- >> Right, I write it on my check when I send my tax return in. Write your number on the check! Oh, that's brilliant. >> Right, right. So it's not, we shouldn't pretend that this is, I'm going to, you, business that doesn't know me, and wants to make sure I am me, in this first initial relationship or interaction that we're having, that's not a good authenticator. That's where we need to come up with a better system. And it probably has to do with layers, and more layers, and it means that it won't be as frictionless for consumers, but I'm really challenging, this is one of our big challenges for 2018, we want to flip that security versus convenience conundrum on its ear and say, no, I really want to challenge consumers to say... I'm happier that I had to jump through those hoops. I feel safer, I think you're respecting my data and my privacy, and my identity more because you made it a little bit harder. And right now it's, no, I don't want to do that because it's a little too, nine seconds! I can't believe it took me nine seconds to get that done. >> Well, yeah, and we have all this technology, we've got fingerprint readers that we're carrying around in our pocket, I mean there's, we've got geolocation, you know, is this person in the place that they generally, and having 'em, there's so many things-- >> It's even more granular >> Beyond a printed piece of >> Than that-- >> paper, right? >> It's the angle at which you look at your phone when you look at it. It's the tension with which you enter your passcode, not just the passcode itself. There are all kinds of very non-invasive biometrics, for lack of a better word. We tend to think of them as just, like our face and our fingerprint, but there are a lot of other biometrics that are non-invasive and not personal. They're not private, they don't feel secret, but we can use them to authenticate ourselves. And that's the big discussion we need to be having. If I want to be smart about my privacy. >> Right. And it's interesting, on the sharing, 'cause we hear that a lot at security conferences, where one of the best defenses is that teams at competing companies, security teams, share data on breach attempts, right? Because probably the same person who tried it against you is trying it against that person, is trying it against that person. And really an effort to try to open up the dialogue at that level, as more of just an us against them versus we're competing against each other in the marketplace 'cause we both sell widgets. So are you seeing that? Is that something that people buy into, where there's a mutual benefit of sharing information to a certain level, so that we can be more armed? >> Oh, for sure, especially when you talk to the folks in the risk and fraud and identity theft mitigation and remediation space. They definitely want more data sharing. And... I'm simply saying that that's an absolutely legitimate use for sharing data. We also need to have conversations with the people who own that data, and who it belongs to, but I think you can make that argument, people get it when I say, do you really feel like the angle at which you hold your phone, is that personal? Couldn't that be helpful, that combined with 10 other data points about you, to help authenticate you? Do you feel like your personal business and life is being invaded by that piece of information? Or compare that to things like your health records. And medical conditions-- >> Mom's maiden name. >> That you're being treated for, well, wow, for sure that feels super, super personal, and I think we need to do that nuance. We need to talk about what data falls into which of these buckets, and on the bucket that isn't super personal, and feeling invasive and that I feel like I need to protect, how can I leverage that to make myself safer? >> Great. Lots of opportunity. >> I think it's there. >> Alright. Eva, thanks for taking a few minutes to stop by. It's such a multi-layered and kind of complex problem that we still feel pretty much early days at trying to solve. >> It's complicated, but we'll get there. More of this kind of dialogue gets us just that much closer. >> Alright, well thanks for taking a few minutes of your day, great to see you again. >> Thanks. >> Alright, she's Eva, I'm Jeff, you're watching The Cube from Data Privacy Days, San Francisco. (techno music)